Chat now with support
Chat with Support

Identity Manager 8.1.2 - Administration Guide for Connecting to SAP R/3

Managing SAP R/3 environments Setting up SAP R/3 synchronization Basic data for managing an SAP R/3 environment Basic data for user account administration SAP systems SAP clients SAP user accounts SAP groups, SAP roles, and SAP profiles SAP products Providing system measurement data Reports about SAP systems Configuration parameters for managing an SAP R/3 environment Default project templates for synchronizing an SAP R/3 environment Referenced SAP R/3 table and BAPI calls Example of a schema extension file

Managing SAP R/3 environments

One Identity Manager offers simplified user administration for SAP R/3 environments. One Identity Manager concentrates on setting up and processing user accounts as well as groups, roles, and profiles assignments. External identifiers and parameters can also be assigned to user accounts. The necessary data for system measurement is also mapped. The system measurement data is available in One Identity Manager, but the measurement itself takes place in the SAP R/3 environment.

One Identity Manager provides company employees with the user accounts required to allow you to use different mechanisms for connecting employees to their user accounts. You can also manage user accounts independently of employees and therefore set up administrator user accounts.

Groups, roles, and profiles are mapped in One Identity Manager, in order to provide the necessary permissions for user accounts. Groups, roles, and profiles can be grouped into products and assigned to employees. One Identity Manager ensures that the right group memberships are created for the employee’s user account.

If user accounts are managed through the central user administration (CUAClosed) in SAP R/3, access to the child client can be guaranteed for or withdrawn from user accounts in One Identity Manager.

Architecture overview

The following servers in SAP R/3play a role in managing an One Identity Manager environment:

  • SAP R/3 application server

    Application server on which synchronization is executed The synchronization server connects to this server in order to access SAP R/3 objects.

  • SAP R/3 database server

    Server on which the SAP R/3 application database is installed.

  • Synchronization server

    The synchronization server for synchronizing data between One Identity Manager and SAP R/3. The One Identity Manager Service with the SAP R/3 connector is installed on this server. The synchronization server connects to the SAP R/3 application server.

  • SAP R/3 router

    Router which provides a network port to the SAP connector for communicating with the SAP R/3 application server.

  • SAP R/3 message server

    Server with which the SAP R/3 connector communicates during login if a direct connection to application servers is not permitted.

The SAP R/3 One Identity Manager connector executes synchronization and provision of data between SAP R/3 and the One Identity Manager database. The SAP R/3 connector uses the SAP connector for Microsoft .NET (NCo 3.0) for 64-bit systems for communicating with the target system.

One Identity Manager is responsible for synchronizing data between the SAP R/3 database and the One Identity Manager Service. The application server ABAP must be installed as a prerequisite for synchronization. An SAP R/3 system that is only based on a Java application server cannot be accessed with the SAP connector.

Figure 1: Architecture for synchronization - Direct communication

Figure 2: Architecture for synchronization - Communication through message server

Figure 3: Architecture for synchronization - Communication through router

One Identity Manager users for managing an SAP R/3 environment

The following users are used for setting up and administration of a SAP R/3 system.

Table 1: Users
User Tasks
Target system administrators

Target system administrators must be assigned to the Target systems | Administrators application role.

Users with this application role:

  • Administer application roles for individual target system types.

  • Specify the target system manager.

  • Set up other application roles for target system managers if required.

  • Specify which application roles for target system managers are mutually exclusive.

  • Authorize other employees to be target system administrators.

  • Do not assume any administrative tasks within the target system.

Target system managers

Target system managers must be assigned to the Target systems | SAP R/3 application role or a child application role.

Users with this application role:

  • Assume administrative tasks for the target system.

  • Create, change, or delete target system objects like user accounts or groups.

  • Edit password policies for the target system.

  • Prepare system entitlements to add to the IT Shop.

  • Can add employees who have an other identity than the Primary identity.

  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.

  • Edit the synchronization's target system types and outstanding objects.

  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

One Identity Manager administrators
  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

  • Create and configure password policies as required.

Administrators for the IT Shop

Administrators must be assigned to the Request & Fulfillment | IT Shop | Administrators application role.

Users with this application role:

  • Assign system entitlements to IT Shop structures.

Administrators for organizations

Administrators must be assigned to the Identity Management | Organizations | Administrators application role.

Users with this application role:

  • Assign system entitlements to departments, cost centers, and locations.

Business roles administrators

Administrators must be assigned to the Identity Management | Business roles | Administrators application role.

Users with this application role:

  • Assign system entitlements to business roles.

Setting up SAP R/3 synchronization

One Identity Manager supports synchronization with SAP systems for the following versions:

  • SAP Web Application Server 6.40

  • SAP NetWeaver Application Server 7.00, 7.01, 7.10, 7.11, 7.20, 7.31, 7.40, 7.40 SR 2 and 7.50

  • SAP ECC 5.0 and 6.0

  • SAP S/4HANA On-Premise edition

Central User Administration is supported for all versions named here.

NOTE: The application server ABAP must be installed as a prerequisite for synchronization. An SAP R/3 system that is only based on a Java application server cannot be accessed with the SAP connector.

To load SAP R/3 objects into the One Identity Manager database for the first time

  1. Prepare a user account with sufficient permissions for synchronizing in SAP R/3.
  2. Install the One Identity Manager Business Application Programming Interface in the SAP R/3 system.
  3. The One Identity Manager parts for managing SAP R/3 systems are available if the "TargetSystem | SAPR3" configuration parameter is set.

    • In the Designer, check if the configuration parameter is set. Otherwise, set the configuration parameter and compile the database.

    • Other configuration parameters are installed when the module is installed. Check the configuration parameters and modify them as necessary to suit your requirements.
  4. Download the installation source for the SAP .Net Connector for .NET 4.0 on x64, with at least version 3.0.15.0.
  5. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
  6. Create a synchronization project with the Synchronization Editor.
Detailed information about this topic
Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents